IPSEC tunnels with crypto maps
IPSEC = Black magic?
IPSEC tunnels may seem like some kind of black magic that firewalls just happen to know how to work, especially when you start looking at IPSEC configuration at the CLI level. I expect the topic to come up at the CCIE lab, probably with several twists and definitely some DMVPN as well.
IKE = Internet Key Exchange, the protocol used to set up a Security Association (SA).
ISAKMP = Internet Security Association and Key Management Protocol, is part of IKE and is a protocol framework that defines the mechanics for authentication and key exchange. Confusingly, vendors use the terms ISAKMP and IKE phase 1 interchangeably, probably because the only implementation of IKE in Cisco routers is with ISAKMP.
IKE Phase 1 = Authenticates the IPSEC peers, sets up a secure IKE Security Association (SA) and thereby provides a secure channel for the next phase.
IKE Phase 2 = Negotiates the IPSEC SA parameters configured on each end and sets up matching IPSEC SAs on each device. On Cisco devices one SA is negotiated per entry in the crypto ACL.
Tunnel mode = Encapsulates the whole IP packet into a new one with new source/destination addresses.
Transport Mode = Keeps the original IP header and encrypts only the payload, which of course adds less overhead.
Diffie-Hellman = Or “DH group”, a technique used to generate a shared secret between two parties in a way where the secret itself is never sent or transferred, but is created together with the remote peer. This lets two routers jointly create a new key and then use that key to encrypt traffic; the key is never exposed, so even if the traffic gets recorded there is no way to figure out what was sent. When Diffie-Hellman is also used in phase 2, that is what we call PFS, or Perfect Forward Secrecy.
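A worked Diffie-Hellman exchange with toy numbers, added here as an example and not part of the original post. The prime p = 23, the generator g = 5 and the private values a = 6 and b = 15 are constructed and far too small for real use (the DH groups a router negotiates use primes of thousands of bits), but they show what actually crosses the wire and what never does:

$$
\begin{aligned}
&\text{Public parameters agreed in the DH group: } p = 23,\; g = 5 \\
&\text{Router A picks private } a = 6 \text{ and sends } A = g^{a} \bmod p = 5^{6} \bmod 23 = 8 \\
&\text{Router B picks private } b = 15 \text{ and sends } B = g^{b} \bmod p = 5^{15} \bmod 23 = 19 \\
&\text{Router A computes } s = B^{a} \bmod p = 19^{6} \bmod 23 = 2 \\
&\text{Router B computes } s = A^{b} \bmod p = 8^{15} \bmod 23 = 2
\end{aligned}
$$

Only the public values A = 8 and B = 19 are transmitted; the private values a and b stay on their routers, and both ends arrive at the same s = 2 without it ever being sent. Someone recording the exchange holds p, g, A and B and would have to solve the discrete logarithm to recover a or b, which is infeasible at real group sizes. This is also why running a fresh DH exchange in phase 2 gives PFS: the phase 2 keys are derived from a new s that does not depend on the phase 1 keys, so compromising one does not reveal the other.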
The steps needed to configure an IPSEC tunnel in Cisco IOS are:
- Configure a matching isakmp policy including:
  - Hash – MD5 or SHA
  - Authentication – pre-shared key or RSA
  - DH group – which Diffie-Hellman group to use
  - Encryption – AES/DES/3DES
- If pre-shared key is used – configure a key for the peer.
- Transform-set – tells the router which crypto to use for phase 2.
- ACL to match traffic to be encrypted – I’ll come back to this!
- Configure a Crypto Map containing:
  - Transform-set to use
  - Which ACL to use
- Apply the Crypto map to the outgoing interface.
I tried to show the configuration and what to match in the picture here:
Back to step 4, “ACL to match traffic to be encrypted”.
The ACL referenced in the crypto map selects which traffic to encrypt. It has to match the opposite end’s crypto map, where each entry corresponds to one SA. The ACL should not be an exact copy; it has to be the mirrored ACL on the other side, matching the local networks in the direction towards the other end through the tunnel.
For example, with the topology above:
SiteA has 10.0.100.0/16 on its side, and on SiteB the network 10.0.200.0/16 resides.
SiteA’s Crypto map ACL would look like:
permit ip 10.0.100.0 0.0.0.255 10.0.200.0 0.0.0.255
(10.0.100.0/24 -> 10.0.200.0/24)
And the other side would have the opposite in its crypto map ACL:
permit ip 10.0.200.0 0.0.0.255 10.0.100.0 0.0.0.255
(10.0.200.0/24 -> 10.0.100.0/24)
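The whole procedure from the step list on both routers, as an added example that is not from the original post. The WAN addresses 192.0.2.1 and 192.0.2.2, the interface names, the policy, transform-set, ACL and crypto map names and the pre-shared key placeholder are all assumptions; the LAN prefixes are the two /24s from the ACLs above. Each numbered step appears once per router, and the crypto ACL on SiteB is the mirror of SiteA's, not a copy:

```cisco
! ===== SiteA (constructed example; addresses and names are assumptions) =====
!
! Step 1: ISAKMP (IKE phase 1) policy. Encryption, hash, authentication
! and DH group must match a policy on the peer or phase 1 never comes up.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Step 2: pre-shared key for this specific peer (placeholder value)
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.2
!
! Step 3: transform set = the phase 2 (IPsec) crypto; tunnel mode is the default
crypto ipsec transform-set TS-SITEB esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 4: crypto ACL, written from the local network towards the remote one
ip access-list extended CRYPTO-SITEB
 permit ip 10.0.100.0 0.0.0.255 10.0.200.0 0.0.0.255
!
! Step 5: crypto map ties peer, transform set and ACL together;
! "set pfs" makes phase 2 run its own DH exchange (PFS)
crypto map CM-SITEB 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS-SITEB
 set pfs group14
 match address CRYPTO-SITEB
!
! Step 6: apply the crypto map to the outgoing (WAN) interface
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map CM-SITEB
!
! ===== SiteB (mirror image of SiteA) =====
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp key REPLACE-WITH-STRONG-PSK address 192.0.2.1
!
crypto ipsec transform-set TS-SITEA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Same two networks, but source and destination swapped: SiteB's local
! network first, SiteA's network as the destination
ip access-list extended CRYPTO-SITEA
 permit ip 10.0.200.0 0.0.0.255 10.0.100.0 0.0.0.255
!
crypto map CM-SITEA 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS-SITEA
 set pfs group14
 match address CRYPTO-SITEA
!
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
 crypto map CM-SITEA
```

Once traffic from one LAN to the other has been sent, `show crypto isakmp sa` should list the peer in state QM_IDLE (phase 1 is up) and `show crypto ipsec sa` should show the phase 2 SAs with rising encaps/decaps counters. If phase 1 comes up but phase 2 does not, the first things to compare are the two transform sets and whether the crypto ACLs really are mirror images of each other; a copied rather than mirrored ACL is the classic mistake the text above is warning about. The pre-shared key is a secret like any other: use a long random value per peer, not the placeholder shown here.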